Agent Smith Malware Infects 25mn Devices

A variant of malware designed for Android mobile devices, dubbed ‘Agent Smith’, has reportedly been uncovered and is suspected of having infected over 25 million devices, primarily in Asian countries.

The malware has the ability to consume other applications and then assume control of them.  This consume-assume behavior is the reason the malware is named after a baddie in The Matrix.

One of the key dangers of the virus is that it is incredibly hard to identify. While it has only been found to be artificially inflating in-app advertising revenues for the cybercriminals, there is the danger that the perpetrators may have been preparing for more malicious fraudulent activity.

How Does It Work?

Check Point, who uncovered the issue, have stated that the malware has seemingly evolved and could be used to directly target the device/user by taking control of other applications, allowing criminals to eavesdrop and steal user data, such as banking credentials.

The malware works in three phases.  First, an unsuspecting user downloads an infected application, which is often a free app or game.  Once installed, it searches the device for a pre-defined list of popular apps which it can then target immediately or at a later date.  During this phase the malware is decrypted into its original form, exploiting known vulnerabilities without the user being any the wiser.  The third and final phase involves the malware attacking the pre-determined apps by extracting the target app’s APK file and patching it with malicious modules.

The Scale

Check Point estimate that 25 million devices have been infected to date and believe they have identified the firm responsible in Guangzhou, China. They have reported their findings to Google Security who have taken action to address the issue.

Most victims are based in India, Pakistan and Bangladesh, but others have been reported in Australia, the UK, and the USA.

Despite initial suspicions that the attack was sponsored by a government, the culprits appear to have no political affiliation. This could be one of the reasons why it took a long while for the attack to be discovered, as cyber security firms may have been looking for the wrong clues.

Full technical details about Agent Smith are available from Check Point Research here.

Rob Chapman
Rob Chapman
Rob is the Chief Operating Officer of the Risk & Assurance Group (RAG). He is responsible for the planning and execution of each RAG event. Rob's goal is to bring together professionals from across the industry and drive RAG's agenda forward.

Rob started working for RAG full time in 2018, having served as Chair on a voluntary basis for the previous four years.

Before joining RAG, Rob was a senior consultant at Cartesian. He has worked in revenue assurance and billing roles for TalkTalk, Verizon Business, Energis and Hutchinson 3G.